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Finfisher Introduction 



Introduction to Finfisher 

Elaman is proud to present its new FinFisher product suite to aid government 
agencies in gathering critical IT information from target computers. This suite 
contains an array of IT solutions to help intelligence agencies gain access to 
information that cannot be procured using traditional methods. 



Operational Features 

• Information gathering 

• Sniffing 

• Exploitation 

• Monitoring 




FinFisher USB Suite 

The FinFisher USB Suite is a set of two USB Dongles, two bootable CDs and 
the FinFisher HQ - a Graphical User Interface (GUI) - for analysis of retrieved 
data. The FinFisher USB Suite has been engineered for use by any agent, 
informant, or basically anyone who is able to gain access to a target 
computer, with minimal computer knowledge. All that needs to be done is to 
insert the USB into the target computer for a short period of time. It can 
extract information like usernames and passwords, e-mails, files and other 
critical system and network information from Windows systems. 



FinFisher Remote Hacking Kit 

When physical access to a target computer cannot be achieved, the FinFisher 
Remote Hacking Kit provides agents with all the necessary tools used by 
professional hackers to remotely gain access to target computers. It consists 
of a notebook running our specially engineered FinTrack operating system, 
various wireless equipment, a 500 GB USB hard-disk containing default 
password lists and rainbow tables, and much more. The FinFisher Remote 
Hacking Kit can be used for internal security assessment as well as IT 
intelligence gathering operations targeting public servers or personal 
computers. 
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FinSpy 



FinSpy is a cutting-edge, professional Trojan horse for Windows systems, 
which enables you to remotely access and monitor target computers. The 
basic functionality includes features like Skype Monitoring, Chat Logging, 
Keystroke Recording, accessing printed and deleted files, and many more 
features. The Trojan horse is completely hidden and all its communications 
are entirely covert. 



FinFly is a transparent HTTP proxy that can modify files while they are being 
downloaded. Elaman has created two versions of this software; the FinFly- 
Lite and the FinFly-ISP. The FinFly-Lite can be used by the agency within a 
local network to append FinSpy or a custom Trojan horse to executables that 
are downloaded by a target computer. The FinFly-ISP can be integrated into 
an Internet Provider's network to infect en masse or targeted computers. 



Network and system security are top priorities in today's changing world. For 
this reason, Elaman provides FinAudit - a security assessment of the 
customer's network and computers carried out by a high specialized Tiger 
Team to ensure the customer is protected as much as possible from local and 
remote attacks. 

FinTraining 

Elaman offers highly specialized FinTraining courses to educate agents in 
various offensive and defensive security topics. Apart from the Basic Hacking 
courses, several advanced courses can be given, including topics such as 
Hacking Voice-over-IP, Hacking Wireless Systems, Basic Cryptography and 
many more. The level of training is highly dependent on customer knowledge 
and special training courses can be customized to meet specific customer 
needs. 

DEVELOPMENTS IN 2008 
FinFly-ISP 

FinFly is a transparent HTTP proxy that can modify files while they are being 
downloaded. The FinFly-ISP can be integrated into an Internet Provider's 
network to infect en masse or targeted computers. 



Elaman has developed FinCrack - a high-speed super cluster for cracking 
passwords and hashes. It currently supports password recovery for Microsoft 
Office documents, NTLM /LM (Windows user hashes), WPA wireless 
networks, UNIX DES (Unix password hashes), WinZip protected files, and 
PDF password-protected files. 

FinWifiKeySpy 

FinWiFiKeySpy is a device for remotely sniffing keystrokes of commercial 
wireless keyboards (e.g. Microsoft, Logitech) that are within the Wi-Fi device 
range (20-50 m). The device also enables the customer to remotely control 
the wireless keyboard and thus control the target computer. 



Elaman is developing the FinBluez - a product that enables agencies to do 
various advanced attacks against Bluetooth devices like mobile phones, 
headsets and computers. For example, FinBluez is able to record the audio 
stream between a headset and a mobile phone or utilize common Bluetooth 
headsets as audio bugs. 



FinFly 



FinAudit 



FinCrack 



FinBluez 



elaman 

qehmAn SECuntTY solutions 



FinFisher IT Intrusion Products 





elaman 



o 



Finfisher Products 



Finfisher HQ 

The FinFisher HQ software is the main software for FinFisher 1 and 2. It is 
used to configure the operational options of the two devices and to 
import/decipher the gathered data and generate reports according to the 
FinFisher type. 

It can also be used to update and repair FinFisher 1 and 2 device systems. 
The FinFisher HQ Software shows all gathered and imported data in a sorted 
list. 



Screenshot: 

File Dongle Crypto Help 



| Type | Username | Computer 



ffa02956 Sat Sep 22 16:04:09 2007 1 
ffa00268 Mon Jul 30 1 0 : 22 : 33 2007 1 



MaJoMu 
MaJoMu 



Import 



View Data 



[■e!.:te Data 



[Welcome" to FinFisher HQ 



FinFisher HQ supports Windows systems equal to and newer than 
Windows 2000 and is pre-installed on the FinFisher Hacking PC. 



FinFisher 1 

FinFisher 1 is a U3-enabled USB device that is activated when inserted into 
the target's system with no or little user intervention. 



The functionality is configured using the FinFisher HQ software. The gathered 
data is also deciphered, imported and analyzed by the FinFisher HQ software. 
The data collected by the device is stored in encrypted form and can only be 
decrypted and accessed at Headquarters where the HQ software is running. 
It uses a private-/public-key cryptography mechanism by utilizing various 
known algorithms. 

This prevents data from being disclosed or the device being misused should it 
be lost or stolen. Furthermore, the operational agent cannot be forced to 
decipher the data as he would need the private key, which remains on the HQ 
system. 
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FinFisher Dongle 1 Configuration 



Generic Settings 

0 Bypass Anti-Virus / Anti-Spy ware Tools 
@ Display Progress During Operation 



System 

0 LSA Secrets Dump 

1 I Installed Windows Updates / Hotf ixes 
I I Product Keys Of Microsoft Software 

0 Auto-Injected DLL's 

1 I Runnig Processes 

I I Autorun Software 



Passwords 

0 Windows Account Hashes 

0 E-Mail Accounts 

0 Messenger Accounts 

0 Network Passwords 

0 Dial-Up Accounts 

0 Protected Storage Password 

0 PST Protection Passwords 

0 Remote Desktop Passwords 

0 Internet Explorer Stored Passwords 



Network 

□ Open TCP / UDP Ports 

I I Network Adapter Information 

0 Internet Explorer History 

0 Mozilla Firef ox History 

0 Wireless WEP / WPA Keys 

0 Outlook Auto-Complete E-Mail Addresses 

0 Mozilla Firef ox Cookies 



OK 



Cancel 



The device indicates when the data gathering process is finished so that the 
agent knows when to remove it from the system. 

If removed prematurely, due to operational necessity, the device will not be 
damaged, or compromise the security of the gathered data or the software 
contained on the device. 

The device contains a component that deactivates and then reactivates all 
known installed Anti-Virus/Anti-Spyware software. 

The device contains the following data gathering capability (subject to the 
information being available on the target's PC and accessible by the FinFisher 
device): 

• Displays Windows user accounts and password hashes 

• Displays details of passwords and other email account information on the 
following email applications: Outlook Express, Microsoft Outlook 2000 
(POP3/SMTP Accounts only), Microsoft Outlook 2002, IncrediMail, Eudora, 
Netscape Mail, Mozilla Thunderbird, Group Mail Free, and Web-based 
email accounts. 

• Displays username and password details of MSN Messenger, Windows 
Messenger (Windows XP), Yahoo Messenger (Version 5.x/6.x), ICQ Lite 
4.X/2003, AOL Instant Messenger, AOL Instant Messenger/Netscape 7, 
Trillian, Miranda, and Gaim / Pidgin 

• Displays stored passwords for network shares 

• Displays details of all Dial-Up accounts, including the user name, password, 
and the domain 

• Displays the details of the lost password of Outlook .PST (Personal 
Folders) file 



• Displays stored remote desktop passwords 
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• Displays passwords stored by the Internet Explorer 

• Displays the list of all LSA secrets stored in the registry. The LSA secrets 
may contain RAS/ VPN, Auto-logon and other system passwords / keys 

• Displays the content of the protected storage which might contain various 
passwords 

• Displays the list of all installed Windows updates (Service Packs and 
Hotfixes) 

• Displays the product ID and the CD-Key of MS-Office, Windows, and SQL 
Server 

• Displays the list of DLLs that are automatically injected into every new 
process 

• Displays the list of all processes currently running. For each process, it lists 
all modules (DLL files) that the process loads into memory. For all 
processes and modules, additional useful information displayed is: product 
name, version, company name, description of the file, and the size of the 
file 

• Displays the list of all applications that are loaded automatically when 
Windows boots. For each application, additional information is also 
displayed (product name, file version, description, and company name) 

• Displays the list of all currently opened TCP and UDP ports. For each port 
in the list, information about the process that opened the port is also 
displayed, including the process name, full path of the process, version 
information of the process (product name, file description, and so on), the 
time that the process was created, and the user that created it 

• Displays information about the target network adapters: IP addresses, 
hardware address, WINS servers, DNS servers, MTU value, number of 
bytes received and sent, the current transfer speed, and more. In addition 
display general TCP/UDP/ICMP statistics for the target computer. 

• Displays all information from the history file on the target computer, and 
display the list of all URLs that the target has visited with the Internet 
Explorer browser in the last few days. 

• Displays the details of all wireless network keys (WEP/WPA) stored by the 
'Wireless Zero Configuration 1 service of Windows XP 

• Displays all auto-complete e-mail addresses stored by Microsoft Outlook 

• Displays all cookies stored by Mozilla Firefox 



FinFisher 1 supports Windows systems equal to and newer than 
Windows 2000. 



Finfisher 2 

FinFisher 2 is a U3-enabled USB device that is activated when inserted into 
the target's system with little or no user intervention. 

The functionality is configured using the FinFisher HQ software. Furthermore, 
the gathered data is deciphered, imported and analyzed by the FinFisher HQ 
software. 
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FinFisher Dongle 2 Configuration 



Generic Settings 



0 Bypass Anti-Virus / Anti-Spyware Tools 
0 Display Progress During Operation 



E-Mails 

0 Outlook / Outlook Express 
0Mozilla Thunderbird 
0 Opera Mail 



Files By Type 
0 Activate File Gathering 

0 Search All Disks 

O Search %HOMEPATH% 

O Search Location: 



File Extensions: Ldocj.xls 



( separate extensions with V ) 



OK Cancel 



The data collected by the device is stored in encrypted form and can only be 
decrypted and accessed at Headquarters where the HQ software is running. 
It uses a private-/public-key cryptography mechanism by utilizing various 
known algorithms. 

This prevents data from being disclosed or the device being misused should it 
be lost or stolen. Furthermore, the operational agent cannot be forced to 
decipher the data as he would need the private key, which remains on the HQ 
system. 

The device indicates when the data gathering process is done so the agent 
knows when to remove it from the system. 

If removed prematurely, due to operational necessity, the device will not be 
damaged, or compromise the security of the gathered data or the software 
contained on the device. 

The device contains a component that deactivates and then reactivates all 
known installed Anti-Virus/Anti-Spyware software. 

The device contains the following data gathering capability (subject to the 
information being available on the target's PC and accessible by the FinFisher 
device): 

• Copies any locally stored emails (Microsoft Outlook, Outlook Express, 
Mozilla Thunderbird, and Opera Mail). 

• Copies files with a specific file extension after making a search through all 
local drives. 

FinFisher 2 supports Windows systems equal to and newer than 
Windows 2000. 



FinFisher 3 

FinFisher 3 consists of two bootable CD-ROMs. 

The devices have to be inserted and the target system has to be rebooted. 
Little user-interaction is required during the whole process. 

The devices contain the following functionality: 
• Clears the windows administrator password 



• Securely wipe the local hard-disks 
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FinSpy 

FinSpy is a professional Trojan horse that can be used by law enforcement 
agencies to monitor the computer system of targetted persons that run a 
Microsoft Windows operating system (Windows 98 to Windows Vista). 
The package offers the capability to monitor one or multiple systems using a 
centralized server and dedicated clients. 

The FinSpy package can be used even by agents without advanced IT 
technology knowledge as it provides a simple point-and-click user interface. 
The FinSpy Trojan horse executable itself is fully customizable and will look 
different on every target system. It also utilizes all up-to-date techniques to 
hide itself and all its activities from the system and, therefore, is hard to 
detect. 

FinSpy Components: 

• FinSpy Client: The user interface that is used by the agents to get access 
to the target's system and gather information or control (e.g. reconfigure 
or remotely delete) the FinSpy Target 

• FinSpy Server: Central server where all infected clients connect and 
publish their availability and basic system information. The server is also 
contacted by the FinSpy Client to get the infected target list 

• FinSpy Target: This is the package that is used for the infection and is 
installed on the target system 

• FinSpy U3-USB Dongle: A U3 USB dongle that contains software to 
deactivate all running Anti-Virus/Anti-Spyware software and installs the 
FinSpy Target component with little or no user interaction 

• FinSpy Antidote: Software to detect and remove FinSpy Target that can 
also prevent the installation 

• FinSpy Proxy: (Optional) A proxy that forwards connections between 
FinSpy Target and FinSpy Server that can be used to have multiple active 
public IP addresses and limit the possibility of detection by researchers 

FinSpy Features: 
Certificate based encryption 

All communication and data is enciphered using RSA certificates. 
Custom Executables 

For each client, a customized executable will be created which prevents 
detection by Anti-Virus and Anti-Spyware utilities. 

File Access 

The remote file system can be accessed and all files can be viewed, edited 
and downloaded. Custom files can also be uploaded to the target system. 

Key-logging 

All keystrokes can be recorded to a file which enables FinSpy to even view 
text that is sent through SSL or Skype sessions. 

Password Sniffing 

A password sniffer can be started in the background that collects all 
passwords for plain-text protocols like POP3, IMAP, Samba Shares, FTP and 
many more. 
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Webcam Recording 

The webcam of the target system can be utilized to monitor the target person or 
environment. 

Microphone Recording 

The microphone of the target system can be utilized to monitor the target person 
or environment. 

Timing based operations 

All operations and functionality of FinSpy can be scheduled by days and hours. 
Local Passwords 

FinSpy can provide a list of local passwords for applications like Windows, E-Mail 
clients, Messengers and many more. 

E-Mail Dumping 

E-Mails can be dumped to a file before they are sent in order to be able to analyze 
even SSL enciphered mail traffic. 

Chat Logging 

Various instant messenger and chat protocols can be monitored. This includes 
MSN, ICQ, IRC and Skype. 

Auto-removal 

FinSpy can remove itself automatically from a target's system without leaving 
traces if selected by an agent or scheduled by the configuration. 

Live Configure 

All options of FinSpy can also be configured at run-time and additional modules 
can be loaded. 

Live Update 

The FinSpy Target itself can be updated to the newest version even at runtime 
using the client's software. 

IP notification 

When the IP address of the target system is changed, it will send the new 
address to the centralized server. 

Country Tracing 

Using the IP address, the target's location is traced and traveling is detected by 
displaying the actual country, plus the previous countries where the target was 
located. 

Generic system information 

Generic system information can be retrieved which includes installed software, 
auto-run programs, etc. 

Remote Command Shell 

A remote command shell on the target's system can be accessed to manually 
execute custom commands. 



Connect-back 

FinSpy is able to create a reverse connection on arrival of a specially crafted 
packet. This helps bypassing Firewalls and especially NAT-enabled environments 
where the client does not have a public reachable IP address. FinSpy supports 
Windows systems equal to and newer than Windows 98. 
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FinFly 

FinFly is a transparent HTTP proxy that can modify content while it is being 
downloaded. 

It can be used to infect executables that are downloaded from a web server 
with FinSpy or custom Trojan horses. 

Using the configuration file, IP addresses can be selected which means that 
only a certain range or a single address is going to be infected or a certain 
range should be ignored by the proxy. 

FinFly comes with a special loader that merges the Trojan horse with the 
original executable. On execution, the Trojan gets installed, is removed from 
the original and then the original executable gets executed. Using this 
technique, most common malware detection mechanism of common Anti- 
Virus/Anti-Spyware utilities can be bypassed. 

Optionally, the proxy can be extended to modify any other file types and also 
totally replace files while they are being downloaded. 

FinFly supports Linux systems equal to and newer than 2.6. Windows 
and BSD support can be added upon request. 



FinFisher Hacking PC 

The FinFisher Hacking PC consists of a robust notebook plus various hacking 
equipment. 

It can be used to locally (Wireless LAN, Bluetooth) or remotely attack single 
systems or networks. The kit is equipped with all generic components that 
are used by professional hackers. 



The equipment includes: 



Notebook 


1 Steatite M230 Ruggedized Notebook 


Wireless 


1 PCMCIA Wireless Adapter 

1 Bluetooth Adapter (modified to support 

antennas) 

1 Directional antenna 

1 Omni-directional antenna 


Ethernet 


1 USB-to-Ethernet adapter 
1 Cross-over Ethernet cable 
1 Ethernet cable 


Storage 


1x 500 GB hard disk (including rainbow 
tables, default password lists, etc) 


Case 


1 Case 


Misc 


1 Power Surge Adapter 
1 CD-Holder 
Windows Driver CD's 



The software includes: 

FinTrack - An operating system based on BackTrack/Linux that includes 
patched wireless drivers, all common and up-to-date hacker tools and lots of 
additional scripts for easier and faster usage. 



Windows XP - Including the FinFisher HQ software and all common up-to- 
date hacker tools that are available for the Windows platform. 
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FinAudit 

FinAudit is a 1 or 2 week professional penetration testing for a given network 
to discover the possible vulnerabilities in systems and software and helps in 
securing the network IT environment. 

The audit can be done remotely and locally. A local audit should be always 
considered to detect all attack vectors for local, physical and especially insider 
attacks. 

FinAudit includes a complete IT-based penetration test against the available 
and publicly used infrastructure and all public and internal systems. 
A complete audit and fixing of discovered vulnerabilities helps to prevent 
attacks and information disclosure. 

Single software can also be checked for vulnerabilities, including a full source- 
code analysis. 

At the end of the penetration testing, a detailed report including all possible 
attack vectors and vulnerabilities, including a presentation of the report and 
consulting, are delivered. 

On request, a service to help secure the network, system and 
communications can also be provided. 
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Finfisher Training List 



FinTraining Course Overview 


Course No. 


Course name 


Duration 


Location 


Number of 
students 


8601-1 


FinTraining Intensive Basic Hacking 
Course 

Aim: Practical knowledge of IT hacking 
of networks and exploiting their 
weaknesses using the FinFisher 
Remote Hacking Kit 


1 week 


Europe or 
in-country 


2 to 4 
students 


8601-2 


FinTraining Extended Basic Hacking 
Course 

Aim: In-depth knowledge of IT hacking 
of network and exploiting their 
weaknesses using the FinFisher 
Remote Hacking Kit 


2 weeks 


Europe or 
in-country 


2 to 4 
students 


8602 


FinTraining Advanced Exploiting 
Software 

Aim: How to exploit bugs in software 
for intell manipulations 


1 week 


Europe or 
in-country 


2 to 4 
students 


8603 


FinTraining Advanced RootKits 

Aim: How to use, detect, and enhance 
rootkits 


1 week 


Europe or 
in-country 


2 to 4 
students 


8604 


FinTraining Advanced VoIP Hacking 

Aim: How to manipulate VoIP servers 
and clients as well as monitoring of 
VoIP communications 


1 weeks 


Europe or 
in-country 


2 to 4 
students 


8605 


FinTraining Wireless Hacking 

Aim: How to gain access to wireless 
LAN networks/Bluetooth 
devices/wireless keyboards 


1 week 


Europe or 
in-country 


2 to 4 
students 


8606 


FinTraining Covert Communications 

Aim: How to hide specific information 
in protocols/media/cryptography. 


1 week 


Europe or 
in-country 


2 to 4 
students 


8608 


FinSpy Training 

Aim: Specialized training on FinSpy 
Trojan horse usage 


1 week 


Europe or 
in-country 


2 to 4 
students 
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Finfisher Hacking Course 



Course 8601 Intensive/Basic/Extended 





FinTraining 8601-02: Basic Hacking Course For Beginner 








(2 weeks) 


indepth 








Monday 


Tuesday 


Wednesday 


Thursday 


Friday 




FinFisher 


Profiling 


Profiling 


Attacking 


Attacking 




• FinFisher HQ 


Foot printing 


Enumeration 


Passwords 


Web security 




• FinFisher 1 


• Search Engines 


• CGI 


• Bypass 


• Code 




• FinFisher 2 


• Archives 


• NetBIOS 


• Default 


Exposure 




• FinFisher 3 


• Target Websites 


• SNMP 


• Brute force 


• Input 






• "Who is" 


• RPC 


• Cracking 


Validation 




Toolset 


Records 


• NFS 


• Trusted 


• CGI 


T — 


• FinFisher Hacking 


• DNS Analysis 


• Other 




• XSS 


CD 


PC 


• First Contact 






• SQL Injection 


1 


• Equipment 

• FinTrack 


Scanning 

• Mapping 

• Port scanning 

• Service 
Fingerprinting 

• OS Fingerprinting 

• Analysis 






• Other 




Attacking 


Attacking 


Attacking 


Attacking 


Attacking 




Exploits 


Root-kits 


Network 


Wireless LAN 


Bluetooth 




• Overflows 


• Backdoors 


• Sniffing 


• Discovery 


• Discovery 


<M 
■V 


• Format Strings 


• Hiding 


• Rerouting 


• Encryption 


• Attacks 


CD 


• Race Conditions 


• Log-cleaner 


• War-dialing 


• Advanced 


• Hardware 


i 


• Archives 

• Exploiting 

• Frameworks 

• Fuzzer 






• Hardware 


Advanced 
• Custom 
Exploits 
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Course 8602: Advance Exploiting Software 



Fintraining: Exploiting Software 




Monday 


Tuesday 


Wednesday 


Thursday 


Friday 


t — 

CD 


Introduction 

• Famous Examples 

Vulnerabilities 

• Code Exposure 

• Authentication 
Bypass 

• Unexpected Input 

• SQL Injection 

• XSS 

• Race Conditions 

• Overflows 

• Format Strings 


Exploits 

• Online Archives 

• Modification and / 
Customization 

• Frameworks 


Finding Bugs 

• Source-Code 
Analysis 

• Fuzzing 

• Debugging 


Writing 
Exploits 

• Unexpected 
Input 

• Overflow 

• Format-String 


Examples 

• Web- 
Applications 

• Server 

• Clients 

• Embedded 
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Finfisher Development 2008 



FinFly-ISP 

FinFly is a transparent HTTP proxy that can modify files while they are being 
downloaded. The FinFly-ISP can be integrated into an Internet Provider's 
network to infect en masse or targeted computers. 

FinCrack 

Elaman has developed FinCrack - a high-speed supercluster for cracking 
passwords and hashes. It currently supports password recovery for: 

• Microsoft Office Documents 

• NTLM/LM - Windows user hashes 

• WPA wireless networks 

• UNIX DES - Unix password hashes 

• WinZip protected files 

• PDF password-protected files 

Modules for other files and hash types can be provided upon request. The 
size of the supercluster is completely customized according to the customer's 
requirements. 

The FinCrack will be available at the end of 2008. 
FinWifiKeySpy 

FinWiFiKeySpy is a device for remotely sniffing keystrokes of commercial 
wireless keyboards (e.g. Microsoft, Logitech) that are within the Wi-Fi device 
range (20-50 m). The device also enables the customer to remotely control 
the wireless keyboard and thus control the target's computer. 
The FinWiFiKeySpy will be available at the end of 2008. 

FinBluez 

Elaman is developing the FinBluez - a product that enables agencies to do 
various advanced attacks against Bluetooth devices like mobile phones, 
headsets and computers. For example, FinBluez is able to record the audio 
stream between a headset and a mobile phone or utilize common Bluetooth 
headsets as audio bugs. 

More information coming soon! The FinBluez will be available at the end of 
2008. 



IT INTRUSION -FinFisher Product Suite 




• Information Gathering 

• PC Surveillance 

• Hacki ng 

• Information Exploitation 

• Information Interception 




Components 
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• FmFisher USB Suite 
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• Fin Fisher Remote Hacking Kit 




• FinSjDy 




• FinFly 




• RnTraining 




• FinAudit 




• New Products- 2008 





FinFisher USB Suite 



• Suite to locally extract information from 
target systems with little or no user 
interaction 

• Data analysis/ Report generation at Head- 
quarters 



Components 



FinFisher USB Suite 

- FinFisher HQ 

- FinFisher 1 

- FinFisher 2 

- FinFisher 3 

Fin Fisher Remote Hacking Kit 

FinSfcy 

FinFly 
FinTraining 

FinAudit 

New Products - 2008 



FinFisher HQ 



• Graphical User Interface for FinFisher 1 and 2 

• Used to configure operational options 

• Generates certificates for encryption 

• Deci phers and i mport s dat a f rom dongl es 

• Generat es r $>ort s f rom gat hered dat a 

• Updates FinFisher 1 and 2 systems 



FinFisher HQ 



Delete Data 
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File Dongle Crypto Help 



ID 



Date 



Type | Username Computer 



ffa02956 Sat 5ep 22 16:04:09 2007 1 MaJoMu MJM 
ffa0026S Mon Jul 30 10:22:33 2007 1 MaJoMu MJM 



Import 



View Data 



Welcome to FinFisher HQ 



Components 


• FinFisher USB Suite 
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- FinFisher HQ 




- FinFisher 1 




- FinFisher 2 




- FinFisher 3 




• FinFisher Ftemote Hacking Kit 




• Fin^y 




• RnFly 




• FinTraining A 




• RnAudit / 




• New Products- 2008 / 
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FinFisher 1 



U3 USB Dongle 

Executes on insertion with little or no user 
intervention 

Obtains system and account information for: 

Windows Accounts 

E-Mail Accounts (Microsoft Outlook/ Express, ..) 
Instant Messenger Accounts (MSN, Yahoo, ICQ, ..) 
System Details (Product Keys, Hotfixes, ..) 
Network Information (Open Ports, Cookies, History, 
■■) 

All gathered data is asymmetrically enciphered, 

Bypasses installed Ant i -Virus/ Ant i-Sfcyware 
software 



FinFisher 1 



Fin Fisher Dongle 1 Configuration | X | 
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Generic Settings 

0 Bypass Anti-Virus / Anti-Spy ware Tools 
0 Display Progress During Operation 



Passwords 

0 Windows Account Hashes 

0 E-Mail Accounts 

0 Messenger Accounts 

0 Network Passwords 

0 Dial-Up Accounts 

0 Protected Storage Password 

0PST Protection Passwords 

0 Remote Desktop Passwords 

0 Internet Explorer Stored Passwords 

OK 



System 

0 LSA Secrets Dump 

1 I Installed Windows Updates / Hotf ixes 
I I Product Keys Of Microsoft Software 
0 Auto-Injected DLL's 

0Runnig Processes 
] Autorun Software 



Network 



□ Open TCP/UDP Ports 

I I Network Adapter Information 

0 Internet Explorer History 

0 Mozilla Firef ox History 

0 Wireless WEP / WPA Keys 

0 Outlook Auto-Complete E-Mail Addresses 

0 Mozilla Firef ox Cookies 



Cancel 
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Components 


• FinFisher USB Suite 


elaman i<<3* 


ii^nw^h 1 1€ it n 1 1 "J lulu 1 1 u*i a ^^^^V^ 


- FinFisher HQ 




- FinFisher 1 




- FinFisher 2 




- FinFisher 3 




• FinFisher Ftemote Hacking Kit 




• Fin^y 




• RnFly 




• FinTraining A 




• RnAudit / 




• New Products- 2008 / 
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FinFisher 2 


• U3USBDongle 


elaman I^a 

QtlHAN HCUltTt ft a LOTIG HI ^^^m 


• Executes on insertion with little or no user 




intervention 




• Gets a copy of all locally stored E- Mai Is from 




the target system 




• Obtains specific files by file-extension (e.g. all 




.doc and -xls files) 




• All gathered data is asymmetrically enciphered 





• Bypasses installed Ant i -Virus/ Ant i-Spyware 
software 




FinFisher 2 



FinFisher Dangle 2 Configuration 



Generic Settings 

W\ Bypass Anti-Virus / Anti-Spy ware Tools 
0 Display Progress During Operation 



E-Mails 



0 Outlook / Outlook Express 
0Mozilla Thunderbird 
0 Opera Mail 



Files By Type 
0 Activate File Gathering 

0 Search All Disks 

0 Search %HOMEPATH% 

0 Search Location: 



File Extensions: 



.docj.xls 



( separate extensions with ';' ) 



OK 



Cancel 
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Components 


• FinFisher USB Suite 


elaman i<<3* 


ii^nw^h 1 1€ it n 1 1 "J lulu 1 1 u*i a ^^^^V^ 


- FinFisher HQ 




- FinFisher 1 




- FinFisher 2 




- FinFisher 3 




• FinFisher Ftemote Hacking Kit 




• Rn^y 




• FinFly 




• RnTraining A 




• RnAudit / 




• New Products- 2008 / 
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FinFisher 3 



2 Bootable CD-Roms: 

1. Removes password for selected Windows 
user account 



2. Securely wipes local hard-disks 



Components 




elaman I^a 


• FinRsher USB Suite 


QtlMJLU MUUItff bULUIIUHS ^^B^ 


• FinFisher Remote Hacking Kit 




• FinS|Dy 




• FinFly 




• RnTraining 




• FinAudit 




• New Products- 2008 
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FinFisher Remote Hacking Kit 



• Used for remote information gathering 

• Provides up-to-date hacking environment 

• Can taget public servers and personal 
computers 



FinFisher Remote Hacking Kit 



• Ruggedized notebook 

• Fi nTr ack operat i ng syst em 

• Various scrpts for automating attack 
procedures 

• All major up-to-date hacking tools 



FinFisher Remote Hacking Kit 


• High-power Wireless LAN adapter 


elaman I^a 


qtiMAU muuitiY bULunuHs ^^B^ 


• Bluetooth adapter with antenna plug 




• Directional/ Omni-directional antenna 




• 500 GB USB disk containing Rainbow Tables, 




I r 1 ■ ||" ■ ■ 

default password lists, etc. 




• USB-to-Bhernet adapter 




• PS' 2 and USB Keylogger 




• Other / 
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Components 




elaman I^a 


• FinRsher USB Suite 


qtiMAU muuitrt bULunuHs ^^B^ 


• Fin Fisher Ftemote Hacking Kit 




• FinSpy 




• FmRy 




• FinTraining 




• RnAudit 




• New Products- 2008 
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FinSpy 



Professional Trojan Horse 

Monitor and remotely access one or multiple 
systems 

Presence on target system is hidden 

All communication is hidden and enciphered 

Components: 

- FinSpy Client 

- FinSpy Server 

- FinSpy Target 

- Fin^y US&U3 Dongle (Target) 

- FinSpy Antidote 



FinSpy 


• Features: 


elaman I^a 

DtiHAN neuitTt ft a Lima hi ^^B^ 


- Custom Executables 




- Bypasses Ant i -Virus/ Ant i-Spyware Software 




- Location Tracing 




- Scheduled Operations 




- Key Logging 




- Password Gatherinq 




- Webcam/ Microphone Access 

- Communication Shifting: 






• Sype 




• Instant Messengers (ICQ, Yahoo, ..) / 




/'"V ]r\r-\v I 

— utner / 
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Components 




elaman I^a 


• FinRsher USB Suite 


qtiMAU muuitrt bULunuHs ^^B^ 


• Fin Fisher Ftemote Hacking Kit 




• FinSpy 




• FinFly 




• FinTraining 




• RnAudit 




• New Products- 2008 
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FinFly 


• Used to infect executables while downloading 


elaman I^a 


• ConriDonents: 




— Transoarent HTTP Proxv 




— CAE l_UclUt2l 




• rroxy attacnes I rojan HorsG sonware to 




UUW I II UdU^U UXUuUl dUI co Ul 1 LI IU 1 1 y 




• Loader removes attached software from 




Hnwnl o^HpH pypnitahlp pftpr in<tfpllatinn 

\J\J VV 1 II UCIUUU CAUwU L CLKJ 1 VZ7 dl L CI II IOL Cll 1 CIL 1 VJI 1 




• Can be used on local networks (e.g. Wireless 
LANs) 






• ISP Version to come in 2008 / 
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Components 




elaman I^a 


• FinRsher USB Suite 


qtiMAU muuitrt bULunuHs ^^B^ 


• Fin Fisher Ftemote Hacking Kit 




• FinSpy 




• FmRy 




• FinTraining 




• RnAudit 




• New Products- 2008 
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FinTraining: Basic Hacking Courses 



• 1 or 2 week basic hacking overview 

• Covers various common hacking techniques 


elaman 


Diihaii luuinv launiDMi ^^^m 


• Practical examples, demonstrations and 




exercises 




• Topics include: 




- Foot printing/ Scanning/ Enumeration 




- Networks 




- Exploits 




-Wireless LANs 




-Bluetooth A 




-Other / 
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FinTraining Advanced: Exploiting Software 



• 1 \A/c±c±l( pni iro^ 


elaman 


\JJ V t?l o UULJo 1 1 1 oUI L Well U dl IU UA|JI Ul L 1 1 iy 

t hpQP 
L 1 ICoC 


Diihaii luuinv launiDMi ^^^^ 


• Prprtiral pypmnlp^ Hpmon^t rations pnH 

1 1 Clv/L 1 v/CLI CAdl 1 1 kJ 1 t/Oj >J 0 1 1 IVJI IOL 1 CIL 1 Ul IO Cll l\J 




exercises 




• Topics include: 




- Software Bugs 




- Exploit Archives/ Frameworks 




-Shell code 




- Finding Bugs 




- Customizing Exploits 




-Other / 
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FinTraining Advanced: Rootkits 


• 1 week course 


elaman I^a 

QtlMJLU MUUItff bULUIIUHS vflH/ 


• Covers Root Kit and Troian horse 




techniques 




• Practical examples, demonstrations and 




exercises 




• Topics include: 




-Analysis 




- Usage 




-Detection 




- Development 




-Other / 
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FinTraining Advanced: Hacking VoIP 


• 1 week course 


elaman I^a 

Diihaii luuinv launuiMi ^^V^ 


• Covers Voice-over- IP eavesdroDDina and 




various attack techniques 




• Practical examples, demonstrations and 




exercises 




• Topics include: 




-KTP Shifting 




- RTP Insertion 




- 9P Account Brute-Forcing 




- 9P Account Cracking 1 




-Other / 
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FinTraining Advanced: Wireless Hacking 



• 1 week course 


elaman 


• Covers Wi rel ess LANs, Bl uet oot h and 




Wireless Keyboards 

J 




• Practical examples, demonstrations and 




exercises 




• Topics include: 




- Wi rel ess LAN WEP/ WPA Cracki ng 




- Bluetooth Link-Key Cracking 




- W rel ess Keyboard Sniffing 




-Q her 
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FinTraining Advanced: Covert Comms 


• 1 week course 


elaman I^a 

Diihaii luuinv launuiMi ^^V^ 


• Covers steaanoaraphv, encryption, network 




and application protocols 




• Practical examples, demonstrations and 




exercises 




• Topics include: 




- Hiding data in objects 




- Hiding data in streams 




- Hiding VoIP communication 




-Q her 
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FinTraining Advanced: More 



• More topics upon request 


elaman 

QtlMJLU lUUItff bULUIIUHS ^^B^ 


• Courses are customized according to 




customers needs and skill-set 
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Components 




elaman I^a 


• FinRsher USB Suite 


qtiMAU muuitrt bULunuHs ^^B^ 


• Fin Fisher Ftemote Hacking Kit 




• FinSpy 




• FmFly 




• FinTraining 




• Fin Audit 




• New Products- 2008 
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Fin Audit 



• 1 or 2 week penetration test 

• Security check of networks, systems and 
software 

• Helps analyzing various attack vectors and 
finding vulnerabilities 

• Prevents data disclosure and intrusion 

• Finalizing report and consulting services 



Components 




elaman I^a 


• FinRsher USB Suite 


qtiMAU muuitrt bULunuHs ^^B^ 


• Fin Fisher Ftemote Hacking Kit 




• FinSpy 




• FmRy 




• FinTraining 




• RnAudit 




• New Products- 2008 
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News 2008: FinFly ISP 



• FinFly that is capable of working in ISP 
networks 

• Can infect en- masse or targeted systems 

• Fteady: Mid/ End of 2008 



News 2008: FinCrack 



• R jnff-CI U9t pr to rrark Pa^worri^ Ha^hp^ 

VI/ vlUOlul L U vl ClvlX 1 ClOOVVUI VJu 1 IUOI IV/O 


elaman 


• Q 7p onH QnooH pi ictnmi7DH tn roni liromontc 

Olu cXl IU C|JCt7U OUol Ul 1 II Z.CU LU 1 ULJUII t?l 1 It7l 11 o 




OU|J|JUI L o. 




— IVIIOIUoUll V-ylllUU LAJUUI 1 It7l 1 1 o 




— NTI K/V 1 M 

IN 1 L IVr LI VI 




— VVrAA INIolVVUI l\o 




- Unix DES 




- WinZIP 

V VI 1 l^—l 1 




- PDF 




• Other modules can be provided upon request 




• Ready: Md/ Bid of 2008 1 
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News 2008: FinWifiKeySpy 



• Wireless Keyboard Sniffer 

• Shifts all keystrokes of wireless keyboard within 
antenna range 

• Able to inj ect keyst rokes t o remot e comput ers 

• Slipportsall major vendors (Microsoft, Logitech) 

• Ready: End of 2008 



News 2008: FinBluez 



Product for various Bluetooth attacks, e.g.: 

- Utilize Bluetooth headsets as audio bugs 

- Record audio stream between headset and 
mobile phone 

Ready: End of 2008 



